Thread: Yahoo DNS Abuse

    #1
    Yahoo DNS Abuse


    Am I the only one having a problem with Yahoo DNS servers bombarding our server with type 99 (SPF) requests? The maximum number of requests received one day last week was 55,987, but it looks like today may set a new record.

    J.A. Coutts

    #2
    Could be people spoofing sending mail from your domain and Yahoo's servers just doing the proper procedure for SPF enforcing. You can try setting the TTL for the TXT/SPF statement higher. It may cut back on the queries (unless they do a lookup per email coming in). Probably better to have SPF queries coming in than spammers getting your domain blacklisted.

    Or it could be someone just using their servers with ill intent. Are the servers querying you open to recursion?

    #3
    Originally Posted by CaptPikel
    Could be people spoofing sending mail from your domain and Yahoo's servers just doing the proper procedure for SPF enforcing. You can try setting the TTL for the TXT/SPF statement higher. It may cut back on the queries (unless they do a lookup per email coming in). Probably better to have SPF queries coming in than spammers getting your domain blacklisted.

    Or it could be someone just using their servers with ill intent. Are the servers querying you open to recursion?

    Servers used are:
    67.195.128.48-51
    68.142.209.135-138
    68.142.209.143-146
    68.142.209.151-158
    72.30.192.150-155
    72.30.192.164-171
    74.6.109.17-20
    74.6.109.24-27
    98.139.193.152-159
    I assume these are internal servers, as they do not respond to port 53. Part of the problem is that Yahoo does not check for TXT records, and our DNS does not support type 99 requests. It just rotates through the round robin servers asking the same question several times. I have blocked most of the servers, but it hasn't slowed the onslaught. Yahoo just ignores all my abuse complaints.

    J.A. Coutts

    #4
    New record established yesterday.

    67.195.128.48-51       8,395
    68.142.209.135-138     2,522
    68.142.209.143-146    28,083
    68.142.209.151-158     5,895
    72.30.192.150-155          0
    72.30.192.164-171     11,278
    74.6.109.17-20         3,960
    74.6.109.24-27         4,225
    98.139.193.152-159    14,248
    ------------------   -------
    Total                 78,606

    Still no response from Yahoo, even though I have a problem number.

    J.A. Coutts
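
A per-range tally like the one in post #4 can be produced directly from a DNS query log. The script below is an added example, not code posted by anyone in the thread; it assumes a BIND-style query log line and that type 99 is logged as `SPF` or `TYPE99`, and the sample log lines and `example.org` are constructed.

```python
import ipaddress
import re
from collections import Counter

# Source ranges exactly as listed in the thread ("a.b.c.x-y" = last-octet span).
RANGES = """67.195.128.48-51 68.142.209.135-138 68.142.209.143-146
68.142.209.151-158 72.30.192.150-155 72.30.192.164-171
74.6.109.17-20 74.6.109.24-27 98.139.193.152-159""".split()

# Assumed BIND-style query log line; adjust the pattern for other DNS servers.
LINE = re.compile(r"client (?:@\S+ )?([\d.]+)#\d+ .*query: \S+ IN (\S+)")

def expand(rng):
    """Turn 'a.b.c.x-y' into (first, last) IPv4Address objects."""
    first, last_octet = rng.split("-")
    prefix = first.rsplit(".", 1)[0]
    return (ipaddress.ip_address(first),
            ipaddress.ip_address(f"{prefix}.{last_octet}"))

BOUNDS = [(rng, *expand(rng)) for rng in RANGES]

def bucket(ip):
    """Return the listed range containing ip, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for label, lo, hi in BOUNDS:
        if lo <= addr <= hi:
            return label
    return "other"

def tally(lines, qtypes=("SPF", "TYPE99")):
    """Count type 99 queries per source range, plus their share of all queries."""
    per_range, total = Counter(), 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a query line
        total += 1
        if m.group(2) in qtypes:
            per_range[bucket(m.group(1))] += 1
    share = sum(per_range.values()) / total if total else 0.0
    return per_range, share

# Constructed sample lines (not taken from the poster's server).
SAMPLE = [
    "client 68.142.209.144#40211 (example.org): query: example.org IN SPF -",
    "client 68.142.209.145#40212 (example.org): query: example.org IN SPF -",
    "client 98.139.193.152#5353 (example.org): query: example.org IN TYPE99 -",
    "client 192.0.2.7#3321 (example.org): query: www.example.org IN A +",
]
```

Running `tally()` over a day's log gives the per-range counts and the fraction of all queries that were type 99, which makes it easy to see whether blocking a range actually reduced the volume.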

    #5
    Yeah, that seems pretty sketchy. I guess there isn't much you can do except wait or block IPs. I only have a very small test domain I can check queries on and I don't get that. So not sure on this one.

    #6

    Yahoo DNS Abuse continues


    Yesterday, our DNS server received 88,715 requests (97% of all requests) from Yahoo, and I have had absolutely zero non-automated response from Yahoo. The volume is so high that it is starting to flood the NAT table in our router.

    Yahoo appears to be using SPF to delay incoming mail delivery. Our Pseudo SMTP server (which rejects all incoming messages with a 550 error) recorded 88 attempts from various Yahoo mail servers to send a message to very obviously randomly generated email addresses in our domain. The DNS queries seem highly disproportionate to the rejection messages sent.

    Does anyone know if Yahoo uses a Domain Name Block List such as the Spamhaus DBL? I am getting desperate.

    J.A. Coutts

    #7

    Yahoo DNS abuse suddenly stopped


    I have no idea why, but for the last 7 days the bombardment has ceased. Not only that, but there have been zero requests for type 99 or TXT records from anywhere.

    Anyone have any idea what is going on? Has Yahoo abandoned their SPF attempts?

    J.A. Coutts
